CVSS vs EPSS


Wondering about the main differences between the Common Vulnerability Scoring System and the Exploit Prediction Scoring System? The simple explanation is that CVSS assigns scores based on technical characteristics like attack complexity and potential impact, while EPSS uses machine learning to estimate the probability that attackers will exploit a vulnerability within 30 days.

If you’ve visited our site with concerns about a potential ransomware incident and are unsure how to deal with it, contact Zensec immediately. Our rapid cyber incident response teams are available 24/7 to contain infected systems, protect your critical assets, and start the recovery process.

This article examines how both systems work, their respective strengths and limitations, and how combining them creates a more effective approach to vulnerability prioritisation than using either one alone.

What is CVSS (Common Vulnerability Scoring System)

CVSS measures a vulnerability’s inherent technical severity, while EPSS predicts the probability that the vulnerability will be exploited in the wild.

The Common Vulnerability Scoring System (CVSS) assigns numerical scores from 0 to 10 based on a vulnerability’s technical characteristics, such as how an attacker might access the system, how complex the attack would be, and the potential damage it could cause.

The CVSS qualitative scale maps those numbers to ratings: 0.1 to 3.9 is Low, 4.0 to 6.9 Medium, 7.0 to 8.9 High, and 9.0 to 10.0 Critical.

Why CVSS is Useful

Think of CVSS as a standardised ruler that security teams worldwide use to measure vulnerabilities. The system evaluates specific metrics like:

  • Attack Vector: Can someone exploit this remotely, or do they need local or physical access?
  • Attack Complexity and User Interaction: Does the exploit work reliably without special conditions, and does it need a victim to click or open something?
  • Privileges Required: Does the attacker need admin rights, or any account at all?
  • Impact: The effect on confidentiality, integrity, and availability.

These metrics combine into a base score, which stays fixed unless the vulnerability is reanalysed (for example when new technical details emerge). CVSS also defines optional Temporal (called Threat in v4.0) and Environmental metric groups that can adjust the base score for exploit maturity and for your own deployment, but the score vendors and NVD publish is almost always the base score alone.

Potential Limitations of CVSS

CVSS tells you how bad things could get if someone exploits a vulnerability, but it can’t predict exploit likelihood (whether anyone actually will).

A remote code execution flaw that requires no user interaction receives a higher score than one requiring local access and admin privileges; that part makes sense. But two vulnerabilities with identical 9.8 scores might pose completely different real-world risks to your organisation.

The published base score also says nothing about compensating controls, asset criticality, or whether a critical system is affected. CVSS does define Environmental metrics for exactly that adjustment, but few organisations populate them, so the score you actually consume is context-free. Nor does it say anything about where a vulnerable component sits in your software supply chain: a flaw in a third-party library scores the same whether that library is on a hot path in your product or never reached at all.

CVSS Pros and Cons:

  • Pros: CVSS gives security teams a common language. When a vendor publishes a CVSS score of 8.2, security professionals in London and Tokyo understand roughly what that means without lengthy explanations. The system also breaks down exactly why a vulnerability received its score, helping teams understand the technical nature of the threat.
  • Cons: Relying only on CVSS creates problems. Organisations often find themselves drowning in “critical” and “high” severity vulnerabilities (sometimes thousands of them) with no clear way to decide which ones to fix first. CVSS also ignores your specific situation: whether the vulnerable system faces the internet, what security controls you have in place, or how critical that system is to your business operations. And it says nothing about whether anyone is actually exploiting the flaw today.

What is EPSS (Exploit Prediction Scoring System)

The Exploit Prediction Scoring System (EPSS) uses a machine learning model to estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The model is trained on observed exploitation activity (from network sensors and honeypots contributed by FIRST’s data partners) and uses features such as the CVSS metrics, the vendor and weakness type, the age of the CVE, and whether public exploit code or tooling exists for it.

While CVSS measures severity, EPSS focuses on exploit prediction and exploit likelihood. It helps organisations isolate the most imminent threats.

Developed by a special interest group at the Forum of Incident Response and Security Teams (FIRST), EPSS scores published CVEs only. Its strongest signals are whether exploit code or exploit tooling has been published for a flaw and whether exploitation attempts against it have actually been observed; vulnerability age and vendor are among the other factors it weighs. A true zero-day, with no CVE yet, has no EPSS score at all.

How EPSS Scores Work

EPSS produces a numerical score from 0 to 1 (or 0% to 100%) and updates daily as new information and real-world exploit data come in. Alongside each probability FIRST publishes a percentile, the share of all scored CVEs with a lower score; because most probabilities are tiny, an EPSS score of 0.2 is already far above the median.

A vulnerability might have a modest CVSS score of 6.5 but an EPSS score of 0.89, meaning there’s an 89% probability that exploitation activity against it will be observed somewhere in the next 30 days. That is a global statement, not a prediction about your systems, but it usually means attackers are using it in campaigns right now.

That’s the key difference: EPSS focuses on what’s actually happening in the real world, not just what could theoretically happen.

Only a small fraction of vulnerabilities are ever exploited, and EPSS helps you isolate the ones that attackers care about.

Why EPSS Matters

The system continuously learns from new data, so scores change as the threat landscape shifts. A vulnerability with a low EPSS score today might jump to high probability tomorrow if someone publishes working exploit code or if attackers start targeting it in the wild.

EPSS Pros and Cons:

  • Pros: EPSS helps you focus on vulnerabilities that pose immediate danger rather than just theoretical risk. The daily updates mean you’re responding to current threats, not yesterday’s news. Research from the EPSS team shows that prioritising on EPSS rather than on CVSS alone can cover most of the vulnerabilities that actually get exploited while reducing remediation workload by up to 90%: you’re fixing fewer things, but the right things.
  • Cons: EPSS doesn’t measure what would happen if someone exploits a vulnerability in your environment, only how likely exploitation is somewhere in the world. It covers only vulnerabilities with a published CVE ID, so zero-days, vendor advisories without a CVE, and misconfigurations have no score at all, and a freshly published CVE usually starts with a low score before exploit references and sensor data accumulate. And because EPSS provides probabilities rather than certainties, a low score doesn’t guarantee safety; it just means exploitation is statistically less likely based on available data.

Key differences between CVSS and EPSS

CVSS and EPSS answer fundamentally different questions. CVSS asks “How bad would this be if exploited?” while EPSS asks “How likely is this to be exploited soon?”

Think of CVSS as measuring the size of a potential fire, while EPSS predicts whether someone’s actually holding a match.

The timing matters too. CVSS scores stay static unless someone discovers new technical details about the vulnerability or it is rescored under a newer CVSS version; a score assigned in 2020 typically remains unchanged in 2025. EPSS scores update daily based on evolving threat intelligence, exploit availability, and observed attack patterns.

A vulnerability’s CVSS score might remain 9.8 for years, while its EPSS score bounces between 0.02 and 0.95 depending on whether attackers currently care about it.

Neither system knows about your specific situation. CVSS provides a universal severity rating that applies to any organisation, while EPSS reflects global exploitation trends that may or may not affect you. Neither, as published, considers whether your vulnerable systems are exposed to the internet, which security controls protect them, or how critical those systems are to your operations.

Aspect            | CVSS                                             | EPSS
What it measures  | Technical severity and potential impact          | Probability of exploitation in the next 30 days
Score range       | 0 to 10                                          | 0 to 1 (0% to 100%)
Update frequency  | Static (unless vulnerability details change)     | Daily, based on threat intelligence
Based on          | Technical characteristics and theoretical impact | Machine learning over real-world exploitation data
Primary use       | Understanding vulnerability severity             | Prioritising by exploitation likelihood

How to use CVSS and EPSS together

Neither CVSS nor EPSS works as a complete solution on its own; they’re designed to complement each other. The most effective approach combines both systems to create a prioritisation framework that accounts for severity and exploitability simultaneously.

Start by identifying security vulnerabilities with both high CVSS scores (7.0 or higher) and high EPSS scores (typically 0.2 or 20% or higher, though your threshold might vary). These represent your highest priority: severe vulnerabilities that are actively being exploited. Fix these immediately.

Next, consider vulnerabilities with high EPSS scores even if their CVSS scores look moderate. A vulnerability scoring 6.5 on CVSS but 0.85 on EPSS deserves urgent attention because attackers are targeting it right now. Real-world exploitation matters more than theoretical severity when you’re facing an imminent threat.

Finally, you can deprioritise vulnerabilities with high CVSS scores but low EPSS scores (below 0.1 or 10%). While technically severe, the low exploitation probability means you can address them after handling more immediate threats, provided you keep re-checking: the whole point of EPSS is that the score moves the day exploit code appears. This approach lets your team focus limited resources where they’ll have the greatest impact on reducing actual risk.

When responding to an active ransomware incident, knowing which vulnerabilities attackers are actively exploiting becomes critical for containment and remediation. Contact us immediately for urgent ransomware recovery support.

Common vulnerability management challenges

Many organisations struggle with what security teams call “vulnerability overload”, thousands of identified vulnerabilities creating analysis paralysis. Relying solely on CVSS scores makes this worse by flagging hundreds or thousands of “critical” vulnerabilities that might never actually be exploited. Your team ends up wasting time patching low-risk issues while potentially missing actively exploited ones.

Failing to integrate secure development processes early can also lead to further vulnerabilities.

Another challenge involves balancing speed with stability. Security teams face pressure to patch quickly, but hasty remediation can cause system crashes or operational disruptions. Combining CVSS and EPSS helps you identify which vulnerabilities truly require emergency patching versus those that can follow standard change management processes.

Resource constraints complicate everything. Most organisations lack the staff and budget to patch everything immediately, making prioritisation essential rather than optional. A risk-based approach using both CVSS and EPSS ensures your limited resources address vulnerabilities most likely to be exploited, rather than simply those with the highest theoretical severity.

Additional vulnerability prioritisation factors

CVSS and EPSS provide valuable data, but effective vulnerability management requires considering additional context specific to your environment. Asset criticality plays a crucial role, a moderate vulnerability on a system processing payment card data deserves higher priority than a critical vulnerability on an isolated test server.

Compensating controls also influence risk levels. A vulnerability might have high CVSS and EPSS scores, but if the affected system sits behind multiple layers of network segmentation, firewalls, and intrusion prevention systems, the actual risk to your organisation drops. Conversely, internet-facing systems with high CVSS and EPSS scores require immediate attention because of their exposure.

The Known Exploited Vulnerabilities (KEV) catalogue maintained by CISA provides another valuable data point. When CISA adds a vulnerability to the KEV catalogue, it confirms active exploitation in the wild, making it a top priority regardless of CVSS or EPSS scores (KEV membership is also one of the inputs to EPSS, so such entries usually carry high EPSS scores anyway). US federal civilian agencies are required to remediate KEV entries under CISA’s Binding Operational Directive 22-01, and many other organisations, particularly in critical infrastructure sectors, adopt the catalogue as a mandatory patching trigger.
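Putting the rules from “How to use CVSS and EPSS together” next to the asset criticality, compensating controls and KEV factors above, the following Python is an added example, not Zensec’s tooling or code from FIRST. It assumes the layout of the daily EPSS CSV (a leading # comment line, then cve,epss,percentile), a hand-built KEV set, and placeholder CVE IDs, scores and host names that are constructed for the example. The thresholds are the ones quoted in this article (CVSS 7.0, EPSS 0.2 and 0.1); the one-tier adjustment for exposure and compensating controls is an assumed policy, not a standard. Findings with no EPSS score are deliberately held at tier 3 or better, so the coverage gap for new CVEs never silently buries a finding.

```python
import csv
from dataclasses import dataclass

# Thresholds quoted in the article: CVSS 7.0+ is "high", EPSS 0.2+ elevated, below 0.1 low.
CVSS_HIGH = 7.0
EPSS_ELEVATED = 0.2
EPSS_LOW = 0.1

# Constructed sample in the layout of the FIRST daily file: one '#' comment line,
# then cve,epss,percentile. CVE IDs and values are placeholders, not real records.
SAMPLE_EPSS_CSV = """#model_version:v2023.03.01,score_date:2025-01-01T00:00:00+0000
cve,epss,percentile
CVE-0000-0001,0.93,0.99
CVE-0000-0002,0.85,0.98
CVE-0000-0003,0.02,0.55
CVE-0000-0004,0.25,0.96
"""

# Constructed KEV membership (the real catalogue is a JSON feed published by CISA).
SAMPLE_KEV = {"CVE-0000-0001"}


def parse_epss_csv(text):
    """Return {cve: (epss, percentile)} from the daily CSV, skipping comment lines."""
    rows = [line for line in text.splitlines() if line and not line.startswith("#")]
    return {r["cve"]: (float(r["epss"]), float(r["percentile"]))
            for r in csv.DictReader(rows)}


@dataclass
class Finding:
    cve: str
    cvss: float
    asset: str
    internet_facing: bool = False
    critical_asset: bool = False
    compensating_controls: bool = False


def base_tier(cvss, epss, in_kev):
    """Global view only: severity (CVSS) x likelihood (EPSS) x confirmed exploitation (KEV)."""
    if in_kev or (cvss >= CVSS_HIGH and epss >= EPSS_ELEVATED):
        return 1   # severe and being exploited: fix immediately
    if epss >= EPSS_ELEVATED:
        return 2   # attackers care even though CVSS looks moderate
    if cvss >= CVSS_HIGH and epss >= EPSS_LOW:
        return 3   # severe with some exploitation signal: normal change window
    return 4       # severe-but-dormant or low-impact: backlog, re-check daily


def prioritise(findings, epss_table, kev):
    """Apply the global rules, then the organisation-specific context neither score has."""
    queue = []
    for f in findings:
        reasons = []
        in_kev = f.cve in kev
        scored = epss_table.get(f.cve)
        if scored is None:
            # Coverage gap: no EPSS score yet (brand-new or non-NVD CVE).
            epss = 0.0
            tier = min(base_tier(f.cvss, epss, in_kev), 3)
            reasons.append("no EPSS score yet")
        else:
            epss = scored[0]
            tier = base_tier(f.cvss, epss, in_kev)
        if f.internet_facing or f.critical_asset:
            tier -= 1
            reasons.append("exposed or critical asset")
        elif f.compensating_controls:
            tier += 1
            reasons.append("segmented / compensating controls")
        if in_kev:
            tier = 1   # the article's rule: KEV is top priority regardless
            reasons.append("in CISA KEV")
        tier = max(1, min(4, tier))
        queue.append({"cve": f.cve, "asset": f.asset, "cvss": f.cvss,
                      "epss": epss, "tier": tier, "reasons": reasons})
    return sorted(queue, key=lambda r: (r["tier"], -r["epss"], -r["cvss"]))


# Constructed findings: hypothetical hosts and placeholder CVEs.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 9.8, "file-server", compensating_controls=True),
    Finding("CVE-0000-0002", 6.5, "vpn-gateway", internet_facing=True),
    Finding("CVE-0000-0003", 9.8, "lab-host", compensating_controls=True),
    Finding("CVE-0000-0004", 7.5, "erp-db", compensating_controls=True),
    Finding("CVE-0000-0005", 5.3, "web-portal", internet_facing=True),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_FINDINGS, parse_epss_csv(SAMPLE_EPSS_CSV), SAMPLE_KEV):
        print(row["tier"], row["cve"], row["asset"], row["reasons"])
```

Run as-is, the CVSS 6.5 / EPSS 0.85 finding on the internet-facing VPN gateway lands in tier 1 next to the KEV entry, the CVSS 9.8 / EPSS 0.02 lab host drops to tier 4, and the unscored CVE on the web portal is held at tier 2 rather than disappearing into the backlog. Swap the constructed CSV for the real daily file and the KEV set for the catalogue feed and the same function becomes the rule engine behind the risk-ranked queue described below.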

Implementing a risk-based vulnerability management program

Building an effective vulnerability management program starts with establishing clear prioritisation criteria for software vulnerability management that incorporate both CVSS and EPSS alongside your organisation’s specific risk factors.

Define what “critical,” “high,” “medium,” and “low” priority mean in your environment, taking into account severity scores, exploitation probability, asset criticality, and exposure.

Automation helps manage the sheer volume of vulnerability data. Modern vulnerability management platforms can automatically pull in CVSS scores, EPSS scores, and KEV catalogue status, then apply your prioritisation rules to generate risk-ranked remediation queues. This automation frees your security team to focus on actually fixing vulnerabilities rather than spending days analysing them manually.

Regular communication with stakeholders proves essential for successful vulnerability management. System owners and business leaders benefit from understanding why specific vulnerabilities require immediate patching while others can wait. Explaining risk in terms of both severity (CVSS) and exploitation likelihood (EPSS) helps non-technical stakeholders grasp the urgency and business impact without getting lost in technical details.

Combining EPSS and CVSS in incident response

During incident response, CVSS and EPSS help identify the likely initial access vector and assess which other vulnerabilities attackers might exploit for lateral movement or privilege escalation. If you’re responding to a ransomware attack, checking whether any recently disclosed vulnerabilities with high EPSS scores are present in your environment can reveal potential entry points that attackers used.

Post-incident analysis benefits from reviewing CVSS and EPSS scores for exploited vulnerabilities. This retrospective analysis helps refine your prioritisation criteria and identify gaps in your vulnerability management process. You might discover that your organisation consistently fails to patch vulnerabilities with certain characteristics, revealing opportunities for process improvement.

The relationship between vulnerability scores and real-world exploitation also informs threat hunting activities. Vulnerabilities with rising EPSS scores deserve proactive investigation to determine if threat actors have attempted or succeeded in exploiting them in your environment before they escalate to full incidents.
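Acting on “rising EPSS scores” (here and in “Why EPSS Matters” above) needs yesterday’s snapshot as well as today’s. The following is an added Python example, not from the original article, that diffs two daily EPSS files against a hypothetical inventory of which hosts carry which CVE and emits a hunt list of where to pull logs from. The two snapshots, CVE IDs and host names are constructed for the example; the 0.2 threshold is the one quoted in this article and the 0.10 minimum jump is an assumed tuning value.

```python
import csv

EPSS_ELEVATED = 0.2   # the article's elevated-priority threshold
MIN_JUMP = 0.10       # assumed tuning value: an absolute rise worth a hunt even above the threshold

# Constructed snapshots in the daily CSV layout (cve,epss,percentile) with the
# leading '#' comment line the FIRST file carries. IDs and values are placeholders.
YESTERDAY = """#model_version:v2023.03.01,score_date:2025-01-01T00:00:00+0000
cve,epss,percentile
CVE-0000-0010,0.03,0.60
CVE-0000-0011,0.15,0.90
CVE-0000-0012,0.50,0.97
CVE-0000-0013,0.01,0.30
"""
TODAY = """#model_version:v2023.03.01,score_date:2025-01-02T00:00:00+0000
cve,epss,percentile
CVE-0000-0010,0.45,0.97
CVE-0000-0011,0.21,0.95
CVE-0000-0012,0.75,0.98
CVE-0000-0013,0.40,0.96
CVE-0000-0014,0.60,0.98
"""

# Hypothetical inventory: which hosts in our environment carry each CVE.
# CVE-0000-0013 rose sharply but is not deployed here, so it must not appear;
# CVE-0000-0014 was scored for the first time today.
INVENTORY = {
    "CVE-0000-0010": ["vpn-gw-01"],
    "CVE-0000-0011": ["mail-01", "mail-02"],
    "CVE-0000-0012": ["erp-db"],
    "CVE-0000-0014": ["web-portal"],
}


def load(text):
    """{cve: epss} from one daily snapshot, skipping the comment line."""
    rows = [line for line in text.splitlines() if line and not line.startswith("#")]
    return {r["cve"]: float(r["epss"]) for r in csv.DictReader(rows)}


def rising(yesterday, today, inventory):
    """CVEs present in our environment whose EPSS crossed the threshold or jumped."""
    hits = []
    for cve, hosts in inventory.items():
        new = today.get(cve)
        if new is None:
            continue                      # not scored today; nothing to compare
        old = yesterday.get(cve)          # None when the CVE was first scored today
        crossed = new >= EPSS_ELEVATED and (old is None or old < EPSS_ELEVATED)
        jumped = old is not None and new - old >= MIN_JUMP
        if crossed or jumped:
            hits.append({"cve": cve, "hosts": hosts, "old": old, "new": new,
                         "why": "crossed threshold" if crossed else "sharp rise"})
    return sorted(hits, key=lambda h: -h["new"])


if __name__ == "__main__":
    for h in rising(load(YESTERDAY), load(TODAY), INVENTORY):
        print(f'{h["cve"]}: {h["old"]} -> {h["new"]} ({h["why"]}); check {", ".join(h["hosts"])}')
```

On the constructed data this flags the ERP database (0.50 to 0.75, already above the threshold but a sharp rise), the web portal whose CVE was scored for the first time at 0.60, the VPN gateway (0.03 to 0.45) and the mail servers (0.15 to 0.21, just over the line), and ignores the CVE that rose but isn’t deployed. Each entry is a hunt starting point: pull authentication and application logs for the listed hosts back to the date the score started climbing, since an EPSS jump usually trails the publication of working exploit code by very little.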

FAQ

How often do EPSS scores change?

EPSS scores update daily based on new threat intelligence, exploit code availability, and observed attack patterns. A vulnerability’s EPSS score can increase dramatically overnight if someone publishes exploit code or if security researchers observe widespread exploitation attempts. This daily refresh ensures organisations respond to the current threat landscape rather than relying on outdated risk assessments.

Can a vulnerability have a low CVSS score but a high EPSS score?

Yes, this happens when a vulnerability has modest technical severity but attackers are still actively exploiting it. For example, an information disclosure vulnerability might receive a CVSS score of 5.3 due to its limited impact. If attackers use it as an initial access vector in widespread campaigns, it could have an EPSS score above 0.7. These vulnerabilities often deserve higher priority than their CVSS scores suggest.

Do all vulnerabilities have EPSS scores?

Every vulnerability with a published CVE ID receives an EPSS score, normally in the next daily run after it appears. What EPSS cannot score is anything without a CVE: a vendor advisory that never gets one, a misconfiguration, or a zero-day whose CVE is still reserved. A freshly published CVE also tends to start with a low score, because the features that drive the model (public exploit code, exploit references, observed activity) have not accumulated yet, so treat a low score on a days-old CVE with caution rather than as evidence that attackers are ignoring it.

What EPSS score threshold indicates urgent action?

While no universal threshold exists, many organisations treat EPSS scores above 0.2 (20%) as worthy of elevated priority, and scores above 0.7 (70%) as requiring urgent action. However, your appropriate threshold depends on your risk tolerance, industry, and available resources. Organisations in high-risk sectors might set lower thresholds, while those with robust security controls might use higher ones.